United States General Accounting Office
Washington, D.C. 20548


August  21,  2001 

The  Honorable  Clay  Shaw 
Chairman,  Subcommittee  on  Social  Security 
Committee  on  Ways  and  Means 
House  of  Representatives 

Dear  Mr.  Chairman: 

As the Social Security Administration (SSA) strives to meet its future challenge of delivering high-quality customer service in the face of increases in both workloads and in the number of retirements of its experienced workforce, it needs to identify strengths and weaknesses in its agencywide operational and managerial capabilities. Evaluating SSA's management of information technology (IT) is a critical part of efforts to assess whether the agency is adequately addressing these capabilities. As you requested, our objective was to evaluate SSA's IT policies, procedures, and practices in the areas of investment management, enterprise architecture, software acquisition and development, information security, and human capital. These five areas encompass major IT management functions and are recognized by the industry as having substantial influence over the effectiveness of an organization's operations.

To address this objective, we reviewed SSA's policies and procedures in each of the five key areas and compared them against applicable laws, federal guidelines, and industry standards. We also reviewed selected IT projects and activities to help determine if SSA's practices were consistent with its own policies and procedures, as well as with federal and industry standards. For each IT area we reviewed, we depicted our evaluation results and judgments on the current state of SSA's policies, procedures, and practices by using three broad indicators. We performed our work from January through June 2001, in accordance with generally accepted government auditing standards.

On July 9, 2001, we provided a detailed briefing to your office on the results of this work. The briefing slides are included as appendix I. The purpose of this letter is to provide the published briefing slides to you and to officially transmit our recommendations to the Acting Commissioner of Social Security.

In brief, we reported that SSA had many important IT management policies and procedures in place in each of the five areas, but did not always implement them consistently. In some areas, SSA had not established certain key policies, procedures, or practices essential to ensuring that its IT is effectively managed. We noted weaknesses in all five key areas of IT management, particularly in investment management and human capital management, and are making numerous recommendations to the Acting Commissioner of Social Security to address these weaknesses. The Acting Commissioner has agreed with our recommendations.


Recommendations for Executive Action


To improve SSA's IT management practices, we recommend that the Acting Commissioner of Social Security direct the Chief Information Officer and the Deputy Commissioner for Systems to complete the following actions:

In the investment management area,

• develop and implement a process guide that establishes the policies, procedures, and key criteria for conducting the IT investment management process and guiding executive staff operations;

• develop and maintain selection criteria that include explicit cost, benefit, schedule, and risk criteria to facilitate the objective analysis, comparison, prioritization, and selection of IT investments;

• analyze and prioritize all IT investments based on the predefined selection criteria and make selection decisions according to the established process;

• establish and annually review cost, benefit, schedule, and risk life-cycle expectations for each selected investment;

• revise the IT oversight process so that the executive staff oversees the comparison of actual cost, benefit, schedule, and risk data with original estimates for all investments to determine whether they are proceeding as expected and, if not, to take corrective actions as appropriate;

• regularly perform post-implementation reviews of IT investments and develop lessons learned from the process;

• develop, manage, and regularly evaluate the performance of a comprehensive IT investment portfolio containing detailed and summary information (including data on costs, benefits, schedules, and risks) for all IT investments; and

• implement investment process benchmarking so that measurable improvements may be made to agency IT investment management processes based on those used by best-in-class organizations.
In the enterprise architecture area,

• establish milestones for and complete key elements of SSA's enterprisewide architecture, including (1) finalizing its framework, (2) updating and organizing its architectures and architecture definitions under the framework, and (3) reflecting its future service delivery vision and e-business goals; and

• effectively implement change management and legacy system integration policies, procedures, and processes across the agency, and set target dates for full implementation of these maintenance processes.

In the area of software development,

• consistently apply the requirements management, project planning, project tracking and oversight, quality assurance, and configuration management policies and procedures developed by the software process improvement program across all software development efforts; and

• develop and implement a procedure to grant waivers to software development projects when deviations from policies and procedures occur.

In the information security area,

• strengthen the entitywide security framework by completing policy/risk models and technical system standards (security settings) for SSA's major systems platforms;

• develop monitoring techniques and corrective actions for noncompliance for the major systems platforms; and

• use the platform security settings to strengthen security for each application utilizing these platforms.

In the human capital area,

• complete an assessment of the Office of Systems' current and future IT knowledge and skill needs;

• develop and maintain an inventory of the Office of Systems' current IT staff's knowledge and skills;

• determine whether a gap exists between current and future IT staff requirements and current staffing;

• implement workforce strategies that support the results of this gap analysis; and

• analyze and document the effectiveness of its strategies for recruiting, training, and retaining IT personnel, and use these results to continuously improve its IT human capital strategies.
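As an added illustration of what the information security recommendations above ask for (technical system standards for each major platform, monitoring for noncompliance, and corrective action), the following Python is an example written for this page and is not part of the GAO report or SSA's actual standards. It models a per-platform baseline of required security settings and a monitoring routine that reports each noncompliant host setting with its corrective action. The platform names, setting keys, required values, corrective actions, and the host inventory are all constructed for the example.

```python
"""Baseline-compliance monitoring for platform security settings.

Added example, not from the GAO report. A "technical system standard" is
modelled as a per-platform baseline of required settings; monitoring
compares what each host reports against that baseline. All platform
names, settings, values and hosts below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: object
    actual: object
    action: str


# Hypothetical baselines: setting -> (required value, corrective action).
# An int requirement is a minimum; a bool requirement must match exactly.
BASELINES = {
    "unix": {
        "min_password_length": (8, "raise PASS_MIN_LEN in /etc/login.defs"),
        "telnet_enabled": (False, "disable the telnet service; require ssh"),
        "audit_logging": (True, "enable the system audit daemon"),
    },
    "mainframe": {
        "audit_logging": (True, "activate security audit records"),
        "default_uacc_read": (False, "set UACC(NONE) on protected datasets"),
    },
}

# Constructed sample inventory, as an agent or scan might report it.
HOSTS = [
    {"host": "app01", "platform": "unix",
     "config": {"min_password_length": 6, "telnet_enabled": True,
                "audit_logging": True}},
    {"host": "db01", "platform": "unix",
     "config": {"min_password_length": 10, "telnet_enabled": False,
                "audit_logging": True}},
    # mf01 does not report default_uacc_read at all.
    {"host": "mf01", "platform": "mainframe",
     "config": {"audit_logging": False}},
]


def _meets(expected, actual) -> bool:
    """Return True if a reported value satisfies the baseline requirement."""
    if isinstance(expected, bool):
        return actual is expected
    if isinstance(expected, int):
        return (isinstance(actual, int) and not isinstance(actual, bool)
                and actual >= expected)
    return actual == expected


def check_host(host: dict) -> list[Finding]:
    """Compare one host's reported settings against its platform baseline.

    A setting the host did not report is treated as noncompliant: an
    unverifiable control is not a passing control.
    """
    baseline = BASELINES[host["platform"]]
    findings = []
    for setting, (expected, action) in baseline.items():
        actual = host["config"].get(setting, "<not reported>")
        if not _meets(expected, actual):
            findings.append(Finding(host["host"], setting, expected, actual, action))
    return findings


def compliance_report(hosts: list[dict]) -> dict[str, list[Finding]]:
    """Map each host name to its list of noncompliant settings."""
    return {h["host"]: check_host(h) for h in hosts}


def compliance_rate(hosts: list[dict]) -> float:
    """Fraction of baseline checks across all hosts that passed."""
    total = sum(len(BASELINES[h["platform"]]) for h in hosts)
    failed = sum(len(check_host(h)) for h in hosts)
    return 1.0 - failed / total if total else 1.0


if __name__ == "__main__":
    for name, findings in compliance_report(HOSTS).items():
        status = "compliant" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  {f.setting}: expected {f.expected!r}, got {f.actual!r} "
                  f"-> {f.action}")
    print(f"overall compliance rate: {compliance_rate(HOSTS):.0%}")
```

The point of treating an unreported setting as a failure rather than skipping it is that a monitoring process which only scores what it can see will report a platform as compliant precisely when its coverage is weakest.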


Agency Comments and Our Evaluation


In providing written comments on a draft of our briefing, the Acting Commissioner agreed with all of our recommendations and identified various actions that SSA has planned or undertaken to address them. SSA also offered updated information and suggestions for revising several specific areas of our briefing, which we have incorporated where appropriate.


Concerning our evaluation of its information security performance, SSA stated that it has now completed the development of policy/risk models and technical system standards for its major system platforms and suggested that we change our assessment of its performance in five information security areas. We are encouraged that SSA has reported completing its policy/risk models and technical system standards; adherence to sound models and standards should strengthen the security of its major platforms and information systems environment. However, because these models and standards were finalized after the completion of our review, we have not had an opportunity to verify their implementation and cannot, therefore, change our assessment at this time. Appendix II contains the full text of SSA's comments and suggested revisions.


As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the date of this letter. At that time, we will provide copies to the Acting Commissioner of Social Security and to the Director, Office of Management and Budget, as well as to other interested parties. Copies will also be available at our Web site at www.gao.gov.

Should you or your office have any questions concerning this report, please contact me at (202) 512-6257, or Valerie Melvin, Assistant Director, at (202) 512-6304. We can also be reached by e-mail at mcclured@gao.gov and melvinv@gao.gov, respectively. Individuals making key contributions to the briefing and this report were Michael Alexander, Yvette R. Banks, Nabajyoti Barkakati, John Christian, Lester Diamond, Thomas F. Noone, Madhav Panwar, Elizabeth Roach, and Marcia Washington.


Sincerely yours,


David L. McClure

Director, Information Technology Management Issues
Appendix I

GAO's July 9, 2001, Briefing


Social Security Administration's Management of Information Technology

Briefing for the Subcommittee on Social Security, Committee on Ways and Means, House of Representatives

July 9, 2001


Purpose and Outline

Briefing purpose:

To present the results of our review and analysis of the Social Security Administration's (SSA) management of information technology (IT)

Briefing outline (slide numbers in parentheses):

• Objective, Scope, and Methodology (3)

• SSA's IT Profile (4)

• SSA's IT Policies, Procedures, and Practices (12)

  • Investment Management (16)

  • Enterprise Architecture (36)

  • Software Acquisition and Development (46)

  • Information Security (55)

  • Human Capital (66)


Objective 

•  To  evaluate  SSA’s  information  technology  policies,  procedures,  and  practices  in  the  areas  of 
investment  management,  enterprise  architecture,  software  acquisition  and  development, 
information  security,  and  human  capital. 

Scope  and  Methodology 

•  We  reviewed  SSA’s  IT  policies  and  procedures  for  investment  management,  architecture, 
software  acquisition  and  development,  information  security,  and  human  capital,  and  compared 
them  with  applicable  laws  and  regulations,  federal  guidelines,  and  industry  standards. 

•  We  reviewed  selected  IT  projects  and  activities  to  determine  if  practices  complied  with  SSA’s 
policies  and  procedures  and  industry  standards,  and  sought  work  products  documenting  these 
practices,  where  applicable.  The  selected  projects  represent  a  mix  of  IT  projects  of  various 
costs  and  durations.  We  also  reviewed  activities  related  to  SSA’s  current  investments. 

•  Information  on  SSA’s  IT  profile  is  as  reported  by  the  agency;  we  have  not  independently 
validated  the  accuracy  of  this  information. 

•  We  conducted  the  review  at  SSA  headquarters  in  Baltimore,  MD.  We  conducted  our  work 
from  January  through  June  2001,  in  accordance  with  generally  accepted  government  auditing 
standards. 


•  We  obtained  comments  from  SSA  on  a  draft  of  this  briefing. 
IT Profile

IT Environment


For FY 2001, SSA estimates that it will spend about $741 million on IT systems and projects


• 548 operational systems and projects, totaling about $517 million (70 percent of the IT budget)


• 265 system acquisition or development projects, totaling about $224 million (30 percent of the IT budget)


• SSA identified 10 major IT initiatives in its Capital Asset Plan and Justification for the FY 2001 budget, representing about 16.2 percent of the FY 2001 IT budget (including workyears).


Estimated costs for major IT initiatives for FY 2001 (dollars in millions)

Major IT initiative                                             Estimated FY 2001 budget   Estimated total life-cycle costs (1)
Financial Accounting System (FACTS)                                     $19.0                  $107.0
Managerial Cost Accounting System (MCAS)                                 $2.0                    $8.0
National 800 Number Call Center Solution                                $10.0                   $74.0
Talking and Listening to Customers                                       $1.0                    $7.0
Title II System Redesign                                                $25.0                  $201.0
Electronic Service Delivery (ESD) Internet Customer Services            $40.0                  $157.0
Paperless Program Service Centers                                        $8.0                   $64.0
Electronic Wage Reporting System                                         $9.0                   $62.0
Integrated Human Resource System (2)                                     $3.0                   $25.0
Security Infrastructure and Operations Support                           $3.0                   $40.0
TOTAL                                                                  $120.0                  $745.0

(1) Life-cycle costs consist of both information technology and SSA workyear costs and include actuals and estimates through fiscal year 2006 (consistent with Office of Management and Budget Exhibits 300B). Estimates for fiscal year 2003 and beyond are being reformulated as part of the fiscal year 2003 budget process.

(2) In its agency comments, SSA stated that this project has been terminated.
Overview of selected systems initiatives:


•Financial  Accounting  System  (FACTS) 

•  Planned  to  provide  a  comprehensive  financial  accounting  system  to  replace  accounts 
payable,  accounts  receivable,  core  accounting  and  reporting  systems  currently  in  use 

•  Part  of  a  larger  initiative  to  modernize  SSA’s  financial  and  administrative  processes  and 
systems 

•  Supports  compliance  with  new  regulatory  and  federal  financial  accounting  standards 

•  Expected  to  be  implemented  in  October  2002 

•Integrated  Human  Resources  System  (IHRS) 

•  Planned  to  provide  integrated,  automated  support  for  all  human  resource  workloads, 
including  timely  and  accurate  human  resource  information 

•  Project  recently  placed  on  hold  due  to  higher  than  estimated  costs  and  pilot  studies 
showing  users’  dissatisfaction  with  the  software 

•  SSA  is  currently  evaluating  IHRS  to  determine  whether  to  continue  the  project 
IT Profile

IT  Environment  (continued) 


Overview  of  selected  systems  initiatives  (continued): 

•Electronic  Disability  System  (eDIB) 

•  Planned  to  provide  SSA  with  a  fully  electronic,  reengineered  disability  claims  process 
that  eliminates  the  use  of  paper  files 

•  Part  of  a  larger,  ongoing  effort  to  improve  SSA’s  administration  of  the  disability 
program 

•  Consists  of  four  strategic  system  objectives 

•  Develop  an  electronic  folder 

•  Leverage  legacy  system  investments 

•  Automate  the  claims  intake  process 

•  Automate  the  hearings  and  appeals  process 

•  Expected  to  be  completed  by  the  end  of  2005 
IT Profile

IT  Roles  and  Responsibilities 


SSA’s  Chief  Information  Officer  (CIO)  is  responsible  for  ensuring  that  IT  is  acquired  and 
managed  in  accordance  with  agency  priorities  and  the  Clinger-Cohen  Act  and  makes  final 
selection  and  funding  decisions  on  IT  projects. 


SSA’s  Deputy  Commissioner  for  Systems  (DCS)  has  overall  responsibility  for  all  aspects  of  the 
agency’s  systems  activities,  including  planning,  configuration  management,  database 
management,  data  administration,  software  and  hardware  acquisition  and  development,  and 
software  and  hardware  acquisition  policies,  procedures,  and  activities. 


•  Four  Associate  Commissioners  and  an  Office  Director  support  the  DCS: 

•  Associate  Commissioner,  Office  of  Telecommunications  and  Systems  Operations, 

•  Associate  Commissioner,  Office  of  Systems  Design  and  Development, 

•  Associate  Commissioner,  Office  of  Systems  Requirements, 

•  Associate  Commissioner,  Office  of  Information  Management,  and 

•  Director,  Office  of  Systems  Planning  and  Integration. 

•  On  February  16,  2001,  SSA  established  the  Office  of  Systems  Electronic  Services,  under 
the  DCS,  to  direct  the  development  of  agencywide  mission-critical  software  applications 
that  support  electronic  service  delivery  initiatives. 
In early 2001, SSA reported

• 2,813 positions in DCS's workforce:

  • 2,027 Computer Specialists

  • 2 Computer Scientists

  • 784 other IT and non-IT staff (e.g., Computer Clerk Assistants and Social Insurance Administrators)

• 2,306 positions in DCFAM's workforce:

  • 86 Computer Specialists

  • 2,220 non-IT staff (e.g., Social Insurance Specialists and Management Analysts)

To evaluate IT management, we focused on five key areas that encompass major IT
functions  and  are  recognized  by  the  industry  as  having  substantial  influence  over  the 
effectiveness  of  operations: 


•  IT  investment  management  has  three  essential  phases— project  selection,  control,  and 
evaluation-each  supported  by  critical  organizational  processes.  We  recently  issued  a 
common  framework  for  assessing  federal  agencies’  IT  investment  management  practices.3 
This  framework  takes  the  organizational  processes  supporting  selection,  control,  and 
evaluation  efforts,  and  extends  them  into  a  growth  and  maturity  framework.  The 
framework’s  five  maturity  stages  represent  steps  toward  achieving  a  stable  and  mature  IT 
investment  process.  By  determining  the  current  stage  of  maturity  of  an  organization, 
managers  are  better  able  to  identify  specific  steps  that  would  contribute  to  improving  IT 
management  performance. 

•  Enterprise  architecture  helps  align  the  requirements  for  agency-sponsored  information 
systems  with  the  processes  that  support  the  agency’s  mission  and  goals,  achieve 
interoperability  and  security  of  information  systems,  and  promote  the  application  and 
maintenance  of  standards  by  which  the  agency  evaluates  and  acquires  systems.  The 
information  architecture  has  operational,  systems,  and  technical  components  that  delineate 
the  business  processes,  information  flows  and  relationships,  systems,  technology 
infrastructure,  and  standards.  To  implement  and  maintain  the  architecture,  an  agency 
should  have  processes  for  change  management  and  legacy  systems  integration. 


3 Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, Exposure Draft (GAO/AIMD-10.1.23, May 2000). This guide builds upon the investment management guidance provided in our prior guide, Assessing Risks and Returns: A Guide for Evaluating Federal Agencies' IT Investment Decision-making (GAO/AIMD-10.1.13, February 1997).

• Software acquisition and development activities help produce information systems within
the  cost,  budget,  and  schedule  goals  set  by  the  investment  management  process,  while 
complying  with  the  guidance  and  standards  of  the  information  architecture.  Key  processes 
for  software  acquisition  are  acquisition  planning,  solicitation,  contract  tracking  and 
oversight,  evaluation,  transition  to  support,  and  acquisition  risk  management.  Key  processes 
for  software  development  include  requirements  management,  project  planning,  project 
tracking  and  oversight,  quality  assurance,  and  configuration  management. 

•  Information  security  helps  protect  the  integrity,  confidentiality,  and  availability  of  the 
agency’s  data  and  systems  it  relies  on  by  reducing  the  risks  of  tampering,  unauthorized 
intrusions  and  disclosures,  and  serious  disruptions  of  operations.  Information  security 
activities  include  conducting  risk  assessments,  promoting  awareness,  implementing  controls, 
performing  evaluations,  and  providing  centralized  coordination  and  oversight  of  all  security 
activities. 

•  IT  human  capital  management  helps  provide  employees  with  the  appropriate  knowledge 
and  skills  to  effectively  execute  critical  IT  functions.  Key  processes  for  human  capital 
management  involve  assessing  IT  knowledge  and  skills  requirements,  inventorying  existing 
staffs  knowledge  and  skills  and  assessing  them  against  requirements,  developing  strategies 
and  plans  to  fill  the  gap  between  requirements  and  existing  staffing,  and  evaluating  and 
reporting  on  progress  in  filling  the  gap  in  knowledge  and  skills. 
IT Policies, Procedures, and Practices

Evaluation Indicators


In  evaluating  the  five  key  IT  areas  at  SSA,  we  assessed  applicable  policies,  procedures,  and 
practices.  We  use  three  broad  indicators  to  depict  our  results: 


Blank  circle  indicates  that  policies  and  procedures  do  not  exist  or  are 
substantially  obsolete  or  incomplete;  and  practices  are  not  performed  or  are 
predominantly  ad  hoc. 


Grid  circle  indicates  that  policies  or  procedures  facilitate  key  functions;  and 
selected  key  practices  have  been  implemented. 


Solid  circle  indicates  that  policies  and  procedures  are  current  and 
comprehensive  for  key  functions;  and  practices  adhere  to  policies,  procedures, 
and  generally  accepted  standards. 


For  each  of  the  five  key  IT  areas  reviewed,  we  selected  indicators  based  on  our  judgment  on 
the  current  state  of  SSA  policies,  procedures,  and  practices.  There  is  no  basis  to  judge  how 
SSA  is  performing  in  relation  to  other  agencies  because  we  have  evaluated  only  two  other 
agencies  using  this  approach,  and  we  continue  to  refine  our  approach  and  the  elements  we 
assess. 
IT Policies, Procedures, and Practices

Evaluation Summary


Indicators: blank circle = incomplete or obsolete policies and procedures, ad hoc practices; grid circle = policies or procedures for key functions, selected key practices implemented; solid circle = comprehensive, current policies and procedures, practices adhere to policies, procedures, and generally accepted standards.


Investment Management

• IT investment board operation: (indicator illegible)
• IT project oversight: grid circle
• IT asset tracking: grid circle
• Business needs identification for IT projects: solid circle
• IT proposal selection: blank circle
• Portfolio selection criteria definition: blank circle
• Investment analysis: grid circle
• Portfolio development: grid circle
• Portfolio performance oversight: (indicator illegible)
• Post-implementation reviews and feedback: blank circle
• Portfolio performance evaluation and improvement: blank circle
• Systems and technology succession management: grid circle
• Investment process benchmarking: blank circle
• IT-driven strategic business change: grid circle


Enterprise Architecture

• Operational component: solid circle
• Systems component: grid circle
• Technical component: grid circle
• Change management: grid circle
• Legacy systems integration: grid circle


Software Development

• Requirements management: grid circle
• Software project planning: grid circle
• Software project tracking and oversight: grid circle
• Software quality assurance: grid circle
• Software configuration management: grid circle


Information Security

• Risk assessment: grid circle
• Awareness: solid circle
• Information system controls: blank circle
• Physical security controls: solid circle
• Network access controls: grid circle
• Evaluation: grid circle
• Central management: grid circle


Human Capital

• Requirements: grid circle
• Inventory: blank circle
• Workforce strategies and plans: grid circle
• Progress evaluation: (indicator illegible)
IT Policies, Procedures, and Practices

IT Investment Management -- Overview


IT investment management provides a framework for implementing the processes that are critical to the effective selection, control, and evaluation of a portfolio of IT investments. The maturity stages, listed below, represent steps toward achieving a stable and mature IT investment management process.


Maturity Stages and Critical Processes


Stage 5: Leveraging IT for Strategic Outcomes

• Investment Process Benchmarking
• IT-Driven Strategic Business Change


Stage 4: Improving the Investment Process

• Post-Implementation Reviews and Feedback
• Portfolio Performance Evaluation and Improvement
• Systems and Technology Succession Management


Stage 3: Developing a Complete Investment Portfolio

• Authority Alignment of IT Investment Boards
• Portfolio Selection Criteria Definition
• Investment Analysis
• Portfolio Development
• Portfolio Performance Oversight


Stage 2: Building the Investment Foundation

• IT Investment Board Operation
• IT Project Oversight
• IT Asset Tracking
• Business Needs Identification for IT Projects
• Proposal Selection


Stage 1: Creating Investment Awareness

• IT Spending without Disciplined Investment Processes


Source: Information Technology Investment Management, GAO/AIMD-10.1.23.
IT Policies, Procedures, and Practices

IT Investment Management -- Overview (continued)

Descriptions of Critical Processes:

STAGE 1

• IT Spending without Disciplined Investment Processes: there are no critical processes associated with this stage.

STAGE 2

• IT Investment Board Operation: creates and defines one or more IT investment boards within the organization, and operates these boards according to written policies and procedures.

• IT Project Oversight: the organization monitors all projects relative to cost and schedule expectations, and takes corrective action when milestones are not achieved.

• IT Asset Tracking: creates and maintains an IT inventory according to written procedures, in order to assist in managerial decisionmaking.

• Business Needs Identification for IT Projects: ensures that each IT project supports the organization's business needs and meets users' needs. It involves identifying business needs and users for each IT project and having users participate in project management throughout the project's life cycle.

• Proposal Selection: ensures that a predefined, structured process is used to select new IT proposals.


IT Policies, Procedures, and Practices

IT Investment Management -- Overview (continued)

Descriptions of Critical Processes (continued)

STAGE 3

• Authority Alignment of IT Investment Boards: coordinates the responsibilities and activities of the IT investment boards when an organization uses multiple boards.

• Portfolio Selection Criteria Definition: creates and communicates to the organization the criteria used by decisionmakers to select and fund IT investments.

• Investment Analysis: examines the fundamental cost, benefit, schedule, and risk characteristics of each IT investment before it is funded and combined with other investments into a portfolio. It involves validating data associated with individual investments, then assessing and prioritizing these investments within the complete portfolio.

• Portfolio Development: compares worthwhile investments and then combines selected investments into a funded portfolio. It involves examining all investments and making selections for funding and then establishing expectations for each investment.

• Portfolio Performance Oversight: involves monitoring the performance of each investment in the portfolio. This process builds upon the Stage 2 IT project oversight process by adding the elements of investment benefit and risk management to the control process activities.
IT Policies, Procedures, and Practices

IT Investment Management -- Overview (continued)

Descriptions of Critical Processes (continued)

STAGE 4

• Post-Implementation Reviews and Feedback: learns from past investments and initiatives by comparing actual results with estimates.

• Portfolio Performance Evaluation and Improvement: evaluates portfolio performance and uses this information to improve both current IT investment processes and future investment portfolio performance.

• Systems and Technology Succession Management: analyzes and manages the succession of identified IT investments and assets to their higher-value successors.

STAGE 5

• Investment Process Benchmarking: identifies and implements measurable improvements in IT investment management processes so that the processes meet or exceed those used by best-in-class organizations.

• IT-Driven Strategic Business Change: uses information technology to strategically renovate and transform work processes and push the organization to explore new and better ways to execute its mission.
IT Policies, Procedures, and Practices

IT Investment Management -- Review


We evaluated SSA IT investment management using the Clinger-Cohen Act, OMB's Capital Programming Guide, and GAO's guide, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity.


We reviewed IT investment management practices for the current SSA investment portfolio. We also evaluated the investment processes used on the Integrated Human Resources System project and the Financial Accounting System Replacement project, each classified as Customer Targeted Work, the agency's highest priority category of projects in development.


We assessed applicable SSA investment processes at maturity stages 2 through 5 (see note 4). We did not evaluate maturity stage 1 because it is characterized by a lack of processes.


4 Because SSA has only one investment board, the Stage 3 critical process involving authority alignment of IT investment boards was not applicable, and thus, was not assessed.
IT Investment Management -- Evaluation

Activity (Critical process): IT investment board operation
Assessment: (symbol not reproduced)
Comments: SSA’s Executive Staff (Deputy Commissioners and above) serves as the Investment Board. Membership incorporates both IT and business knowledge. The Staff meets at least annually to provide input to the CIO on selection decisions and quarterly to provide oversight on Customer Targeted Work (CTW) projects, SSA’s highest-priority projects. However, there are no written procedures outlining key criteria used by the Executive Staff to ensure consistent investment management and decision-making practices.

Activity (Critical process): IT project oversight
Assessment: (symbol not reproduced)
Comments: The Executive Staff oversees CTW projects through quarterly meetings where project status is reviewed. In addition, the CIO conducts 1) periodic investment reviews of selected higher-risk projects where up-to-date cost information is presented and 2) special reviews of under-performing projects. Although non-CTW projects (that is, lower priority projects) are overseen by senior staff at the Associate Commissioner level, they receive no regular oversight by the Executive Staff.

Assessment legend (lowest to highest rating):
• Incomplete or obsolete policies and procedures; ad-hoc practices
• Policies or procedures for key functions; selected key practices
• Comprehensive, current policies and procedures; practices adhere to policies, procedures, and generally accepted standards
Activity (Critical process): IT asset tracking
Assessment: (symbol not reproduced)
Comments: A number of organizations within SSA capture and maintain a variety of IT asset information (including hardware, software, personnel, and resources expended) in various databases and locations. Although IT asset information can be compiled from various sources, the agency does not have a comprehensive and consistent inventory of IT asset information that is readily available to assist senior managers in making more informed investment management decisions. Comprehensive IT asset information is useful in avoiding duplication of effort and understanding the cost effectiveness, benefits, and risks of different investments.

Activity (Critical process): Business needs identification for IT projects
Assessment: (symbol not reproduced)
Comments: Business needs and users are clearly identified for IT projects. Projects supporting key initiatives can be traced to strategic objectives. Identified users participate in project management during projects’ life cycles.
Activity (Critical process): Proposal selection
Assessment: (symbol not reproduced)
Comments: SSA uses a structured process to solicit new IT proposals. Resource proposals are prioritized into several tiers by the Office of Systems during the annual budget development process, reviewed by the Information Technology Systems Review Staff (ITSRS), and presented to the CIO with funding recommendations. The CIO makes funding decisions based on ITSRS recommendations and input from the Executive Staff. Although SSA reports that the prioritization and selection of proposals are based on agency priorities, no explicit, established cost, schedule, benefit, or risk criteria exist or are used for these decisions. In addition, development projects which expend only in-house salary funds are not reviewed by ITSRS.

Activity (Critical process): Portfolio selection criteria definition
Assessment: (symbol not reproduced)
Comments: The Executive Staff develops high-level criteria that are used for selecting IT investments. Criteria include the Agency Strategic Plan, the Performance Plan, programs for objective achievement, key initiatives, and the 5-Year Systems Plan. Criteria are regularly modified, updated, and distributed. However, these high-level selection criteria do not include explicit cost, schedule, benefit, or risk criteria—considerations that would be helpful in making tradeoffs among investments competing for limited resources.
Activity (Critical process): Investment analysis
Assessment: (symbol not reproduced)
Comments: IT investments in all life-cycle phases are prioritized into three tiers by the Office of Systems. ITSRS conducts annual reviews of these investments and makes funding recommendations to the CIO. However, the lack of explicit, established cost, schedule, benefit, and especially risk criteria hinders the agency’s ability to consistently and objectively analyze and prioritize its investments. In addition, developmental projects that expend only in-house salary funds are not reviewed by ITSRS.

Activity (Critical process): Portfolio development
Assessment: (symbol not reproduced)
Comments: The CIO, with input from the Executive Staff, examines and makes funding decisions on IT investments. These investments are categorized into three tiers in the annual IT budget and documented in the 5-Year Systems Plan for each of SSA’s major work areas. SSA reported that the 5-Year Systems Plan is periodically reviewed to ensure the appropriate allocation of IT resources. Cost and schedule expectations are set annually for higher-priority investments. However, SSA does not have a comprehensive IT investment portfolio that includes all IT investments (including developmental and operational projects and systems) regardless of the funding source. In addition, annual benefit and risk expectations are not set or approved by the CIO or Executive Staff.
Activity (Critical process): Portfolio performance oversight
Assessment: (symbol not reproduced)
Comments: The Executive Staff oversees CTW projects through quarterly meetings where project status is reviewed. In addition, the CIO conducts 1) periodic investment reviews of selected higher-risk projects where up-to-date cost information is presented and 2) special reviews of under-performing projects. However, annual benefit expectations are neither set nor tracked to determine whether expected benefits have been realized or acceptable progress achieved. Although projects below the CTW level are overseen by senior staff at the Associate Commissioner level, they receive no regular oversight by the Executive Staff.

Activity (Critical process): Post-implementation reviews and feedback
Assessment: (symbol not reproduced)
Comments: According to SSA policy, the CIO designates in advance which projects will receive a post-implementation review (PIR) upon completion. To date, SSA has completed one PIR and another is underway. Of over 30 CTW projects in development, only one has been designated to receive a PIR. In addition, there are no criteria for designating projects for PIRs or written procedures for conducting PIRs.
Activity (Critical process): Portfolio performance evaluation and improvement
Assessment: (symbol not reproduced)
Comments: SSA has various efforts underway to develop and improve both its IT portfolio and investment processes. These include efforts to estimate return-on-investment, define life cycles, prioritize investments, establish measurable goals, and better manage projects. However, overall IT portfolio performance is not evaluated. The absence of aggregate investment portfolio performance measures (for example, a balanced scorecard that measures strategic achievement, customer satisfaction, business performance, and IT innovation) hinders SSA’s ability to evaluate and improve its IT portfolio to better serve the needs of the entire organization.

Activity (Critical process): Systems and technology succession management
Assessment: (symbol not reproduced)
Comments: SSA reported that succession management processes are performed as part of various IT management processes. These include the monitoring of investments for cost effectiveness, utilization, capacity, and other performance factors, as well as periodic review and update of the 5-Year Systems Plan. However, no procedures or criteria were developed for identifying succession candidates and periodically evaluating the viability of ongoing investments.
Activity (Critical process): Investment process benchmarking
Assessment: (symbol not reproduced)
Comments: SSA reported that it reviews other agencies’ and organizations’ investment processes and management tools to identify and implement improvements to its own processes. However, SSA has no benchmarking policy or procedures and has not conducted process benchmarking activities that would include measuring internal process baselines, benchmarking the processes of best-in-class organizations, and making improvements based on the analyses.

Activity (Critical process): IT-driven strategic business change
Assessment: (symbol not reproduced)
Comments: In December 2000, SSA opened the Electronic Technology Center to research, test, evaluate, and implement new technologies that will strategically enhance the agency’s ability to conduct business. Other groups within SSA forecast future technologies and explore potential applications. Although the Electronic Technology Center is evaluating a number of business-enhancing technologies, these have not yet been implemented for strategic changes to business processes or captured in a knowledge base.
Impact of IT Investment Management Weaknesses

• IT Investment Board Operation:

Without written procedures for IT investment management, SSA lacks assurance that the Executive Staff is providing investment management oversight and decisionmaking in a repeatable and consistent manner.

• IT Project Oversight:

Without Executive Staff oversight of non-CTW projects’ progress toward meeting cost and schedule expectations, SSA management lacks assurance that these projects are under control and being developed on time, within budget, and according to requirements.

• IT Asset Tracking:

Without up-to-date information on a comprehensive inventory of IT assets, SSA lacks assurance that decisionmakers have the information they need to effectively manage IT investments. An IT asset inventory—including projects and systems, associated hardware, software, licenses, location, ownership, personnel, costs, and schedule data—provides fundamental information that executives should have at their disposal when making investment decisions. This information enables executives to better manage the allocation of resources among systems and programs.
• Proposal Selection:

Without predefined, explicit selection criteria, SSA lacks assurance that proposals are objectively assessed and prioritized, informed proposal tradeoffs are made, and the appropriate projects are selected.

• Portfolio Selection Criteria Definition:

Without portfolio selection criteria that explicitly address costs, benefits, schedule, and risks, SSA lacks assurance that decisionmakers have the necessary tools for selecting an IT investment portfolio that optimally supports the agency’s mission and strategic goals. Although appropriate investments may be selected based on individual merit, without predefined selection criteria, the cumulative effect of the selection decisions may result in an investment portfolio that provides less-than-optimal support of the agency mission.

• Investment Analysis:

Without analyzing and validating the costs, benefits, schedules, and risks of all developmental and operational IT investments, SSA cannot be certain that it is selecting and funding the IT investments that will best result in cost-effective solutions that are focused on measurable and specific program- or mission-related benefits (time, cost, performance, quality, customer satisfaction, etc.).
• Portfolio Development:

Without a comprehensive IT investment portfolio that contains detailed and summary information on all IT investments—including cost, benefit, schedule, and risk data—SSA lacks assurance that an optimal investment portfolio with manageable risks and returns is being selected.

• Portfolio Performance Oversight:

Because the Executive Staff does not oversee the performance of all IT investments, SSA lacks assurance that its portfolio is achieving cost, benefit, schedule, and risk expectations.

• Post-Implementation Reviews and Feedback:

Without evaluating IT investments after they have been implemented and without written policies and procedures for performing the reviews, SSA lacks information on whether investments have met intended objectives—e.g., costs, benefits, customer satisfaction, mission impact, and technical capability—and whether improvements are needed in the investment management process.
• Portfolio Performance Evaluation and Improvement:

Without collecting and analyzing aggregate portfolio performance data, SSA lacks the ability to evaluate the portfolio’s performance and make recommendations to improve the portfolio and the investment management process.

• Systems and Technology Succession Management:

Without policies and procedures for uniformly evaluating IT investments in operation, SSA may not be adequately planning and managing the migration of high-cost, low-value investments to appropriate successors.

• Investment Process Benchmarking:

Without benchmarking the investment management processes of best-in-class organizations, SSA lacks the ability to identify and implement measurable improvements to its own processes to meet or exceed those used by best-in-class organizations.

• IT-Driven Strategic Business Change:

Until SSA begins to implement business-enhancing technologies in a proactive and continuous manner, the agency may fall short of its potential to dramatically improve business processes and outcomes.
IT Investment Management

Suggested Areas for Improvement

SSA should:

• Develop and implement a process guide that establishes the policies, procedures, and key criteria for conducting the IT investment management process and guiding Executive Staff operations.

• Develop and maintain selection criteria that include explicit cost, benefit, schedule, and risk criteria to facilitate the objective analysis, comparison, prioritization, and selection of IT investments.

• Analyze and prioritize all IT investments based on the predefined selection criteria and make selection decisions according to the established process.

• Establish and annually review cost, benefit, schedule, and risk life cycle expectations for each selected investment.
• Revise the IT oversight process so that the Executive Staff oversees the comparison of actual cost, benefit, schedule, and risk data to original estimates for all investments to determine whether they are proceeding as expected and to take corrective actions as appropriate.

• Regularly perform post-implementation reviews of IT investments and develop lessons learned from the process.

• Develop, manage, and regularly evaluate the performance of a comprehensive IT investment portfolio containing detailed and summary information (including data on costs, benefits, schedules, and risks) for all IT investments.

• Implement investment process benchmarking so that measurable improvements may be made to agency IT investment management processes based on those used by best-in-class organizations.
IT Investment Management

Plans to Address IT Investment Management Weaknesses

Following our assessment, SSA officials stated that, during the upcoming fiscal year, the agency will

• explore risk modeling procedures for proposed IT projects to eventually develop a comprehensive risk assessment and management strategy,

• adopt management and decision support tools for the agency’s capital planning and investment control process,

• document post-implementation review policies and procedures and select additional projects for post-implementation reviews,

• continue return-on-investment training and estimation on IT projects to provide better information for investment decisions,

• refine the capital planning and investment control process based on the experiences and practices of other agencies,
• assess the capital planning and investment control process for possible changes based on input from the new administration, and

• review significant deviations in non-CTW projects.
Enterprise Architecture -- Overview

An enterprise architecture serves as a blueprint to guide and constrain the development and evolution of a collection of related information systems.

Three typical components of an enterprise architecture are:

• Operational component—describes the operational elements (business functions), assigned tasks and activities, and information flows required to support an operation

• Systems component—describes and graphically depicts how multiple systems link and interoperate to support an operation, and may describe the internal construction and operation of individual systems within the architecture

• Technical component—provides the technical system implementation guidelines upon which engineering specifications are based and common building blocks are established, and provides a set of tools that facilitate integration of legacy and new systems
OMB guidelines require agencies to include certain key elements in their enterprise architectures. These elements can be generally grouped into the three component categories as follows:

Operational component

• Business or operational processes

• Information flows and relationships in those processes

Systems component

• Activities or systems that capture, manipulate, and manage the information to support operations

• Data descriptions and relationships and how data are maintained, accessed, and used

Technical component

• Technology standards, services, and infrastructure
OMB guidelines also require agencies to establish two key processes to maintain and implement the architecture:

Change management

• Manages and documents changes to the architecture that are needed as business functions evolve

Legacy systems integration

• Develops and implements a strategy for integrating existing and new systems that will permit them to interoperate cost effectively

We evaluated SSA’s architecture using the Clinger-Cohen Act and guidance issued by OMB, ourselves, and the CIO Council.[5] We also reviewed SSA’s actions to develop an enterprisewide architecture.

[5] A Practical Guide to Federal Enterprise Architecture, Chief Information Officer Council, version 1.0, February 2001.
Enterprise Architecture — Evaluation (continued)

Activity: Systems component
Assessment: (symbol not reproduced)
Comments: SSA’s architecture documentation describes and provides diagrams showing the boundaries and interfaces of its application software systems, which are categorized as programmatic, administrative, management information, and quality assurance. This documentation defines the agency’s programmatic software architecture, including its interfaces, and identifies software common to multiple systems. It also shows the relationship between its business critical data, key business applications, and support applications. However, existing architectures and architecture definitions have not been completely updated, organized, and brought together under an enterprisewide framework. In addition, SSA has not completed efforts to define its targeted architecture to reflect its future service delivery vision (Social Security 2010 Vision) and e-business goals.
Activity: Technical component
Assessment: (symbol not reproduced)
Comments: SSA’s documentation provides strategic guidance for the development of new business solutions and technologies and the enhancement or maintenance of current systems. SSA’s Systems Enterprise Architecture System provides technology standards, tools, and services to support the agency’s local, network, and mainframe infrastructures. SSA has established standards for new IT technologies, such as the Internet and Web development. SSA also has established an Architecture Review Board which reviews projects to ensure that they are compliant with existing architecture policies and support the agency’s business and strategic plans. However, existing architectures and architecture definitions have not been completely updated, organized, and brought together in an enterprisewide framework. In addition, SSA has not completed efforts to define its targeted architecture to reflect its future service delivery vision (Social Security 2010 Vision) and e-business goals.
Activity: Change management
Assessment: (symbol not reproduced)
Comments: SSA’s Systems Enterprise Architecture System provides principles and guidance for implementing systems to help ensure compliance with the agency’s strategic plans. SSA’s Architecture Review Board reviews projects to support change management decisions. SSA also has configuration management and change management guidance and processes at the IT project level. However, SSA has not completed efforts to establish an enterprise architecture maintenance process, including an enterprisewide architecture change management process.

Activity: Legacy systems integration
Assessment: (symbol not reproduced)
Comments: SSA’s Systems Enterprise Architecture System provides principles, guidance, and tools for supporting legacy systems integration. SSA’s systems planning process provides support for legacy systems integration. In addition, SSA’s Architecture Review Board reviews projects to support effective system design and integration planning decisions. However, SSA has not completed efforts to establish an enterprise architecture maintenance process, including a formal enterprisewide architecture legacy systems integration process. In addition, SSA has not completed efforts to define its targeted architecture to reflect its future service delivery vision (Social Security Vision 2010) and e-business goals.
• Until SSA completes its enterprisewide architecture, including (1) updating and organizing its architectures under an enterprisewide framework, and (2) defining its targeted architecture to reflect its future service delivery vision and e-business goals, SSA lacks assurance that its architecture adequately supports the agency’s current and future information processing needs.

• Without an effective enterprisewide architecture change management process, SSA lacks assurance that it can effectively manage and document changes to its architecture as business functions evolve and new technologies are acquired.

• Without an effective enterprisewide legacy system integration process, SSA lacks assurance that new software and hardware technologies will interoperate with existing systems in a cost-effective manner.
Enterprise Architecture

Suggested Areas for Improvement

SSA should:

• Complete key elements of its enterprisewide architecture including (1) finalizing its enterprisewide architecture framework, (2) updating and organizing its architectures and architecture definitions under the framework, and (3) reflecting its future service delivery vision and e-business goals. In addition, it should set target milestones for completing these architecture components.

• Ensure that change management and legacy system integration policies, procedures, and processes are effectively implemented across the agency. SSA should also set target dates for full implementation of these maintenance processes.
• SSA recognizes the need to strengthen its enterprise architecture to ensure interoperability and minimize cost, and reported that it has taken the following actions.

• In April 2001, SSA established the Office of Information Technology Architecture. This office is responsible for directing an enterprisewide architecture program to modernize the agency’s infrastructure by establishing and implementing standards for common hardware, software, and processes.

• SSA has developed a proposed architecture framework that provides an overarching guide for defining its existing and planned architectures. It also will be used to update and organize its architectures and related products under this proposed framework. SSA stated that it expects to complete the existing and target architectures for its IT infrastructure by the end of September 2001.

• SSA has drafted an IT Infrastructure Target Architecture Strategic Planning Model. This model is based on SSA’s future service delivery vision and e-business goals.

• SSA stated that it is establishing the foundations for its change management and legacy system integration processes.
IT Policies, Procedures, and Practices

Software  Acquisition  and  Development  —  Overview 


Many  organizations  rely  on  software-intensive  systems  to  perform  their  missions.  The  quality  of  these 
systems’  software  is  governed  largely  by  the  quality  of  the  processes  involved  in  acquiring  or 
developing  the  software,  and  in  maintaining  it.  Carnegie  Mellon  University’s  Software  Engineering 
Institute  (SEI),  recognized  for  its  expertise  in  software  processes,  has  developed  models  and  methods 
for  determining  an  organization’s  software  process  maturity. 

SEI’s Capability Maturity Model (CMM)[6] provides a framework of five maturity levels that can be used to identify an organization’s current process strengths and weaknesses, and to develop a structured plan for incremental process improvement. The five maturity levels are:

1. Initial: the software process is characterized as ad hoc and few processes are defined.

2. Repeatable: basic project management processes are established; the necessary process discipline is in place to repeat earlier successes.

3. Defined: software processes are documented and standardized; all projects use an approved, tailored version of the organization’s standard software processes for acquiring or developing software products and services.

4. Managed/Quantitative: detailed measures of the software processes, products, and services are collected; the software processes and products are quantitatively understood and controlled.

5. Optimizing: continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.


[6] Capability Maturity Model is a service mark of Carnegie Mellon University, and CMM is registered in the U.S. Patent and Trademark Office.

Software  Acquisition  and  Development  —  Overview  (continued) 


The CMM’s maturity levels 2 through 5 require the verifiable existence and use of certain software processes, known as key process areas (KPA).


SEI  has  developed  separate  maturity  models,  with  supporting  KPAs,  for  both  software 
acquisition  and  software  development. 

In  1997,  SSA’s  Office  of  Systems  established  the  Software  Process  Improvement  (SPI)  initiative 
to  help  the  organization  meet  its  objective  to  improve  the  predictability  of  systems  delivery, 
increase  productivity,  and  improve  the  quality  of  software  products.  The  SPI  program  has  been 
instrumental  in  developing  new  software  development  policies  and  procedures  and  an  Intranet 
web-based  guide  to  aid  project  managers  and  team  members  in  planning  and  executing  project- 
related  activities.  The  SPI  program  has  also  participated  in  developing  project  management 
training  that  has  been  attended  by  47  project  managers  across  the  Office  of  Systems.  SSA 
reported  that  about  60  projects  have  implemented  the  new  software  development  policies  and 
processes  and  each  project  has  a  designated  SPI  representative  to  consult  with  managers  and 
teams  on  the  software  improvement  process. 

Software  Acquisition  and  Development  —  Overview  (continued) 


We  evaluated  SSA’s  policies  and  procedures  on  software  development  against  SEI’s  Software 
Development  CMM.  While  we  evaluated  SSA’s  software  development  processes  against 
selected  components  in  all  applicable  level  2  KPAs,  our  review  was  limited  and  does  not 
constitute  a  software  capability  maturity  evaluation.  Our  evaluation  team  was  led  by,  and 
staffed  with,  SEI-trained  software  specialists. 


We reviewed two software development projects, the Electronic Disability System (eDIB) and the Earnings Management Information Operational Data Store (EMODS), at SSA’s headquarters. We chose these projects after consulting with SSA officials. The selected projects include an ongoing effort that is to support a key agency initiative, but has a history of software development and project management problems, and a completed software development effort that supports a key initiative.


We  did  not  evaluate  SSA’s  software  acquisition  policies  or  processes  because  the  agency 
reported  that  it  develops  most  of  its  software  applications  in-house. 
Software Acquisition and Development — Overview (continued)

Accountability ♦ Integrity ♦ Reliability

Applicable  software  development  KPAs: 

• Requirements management — establishes and documents common understandings of the customer’s requirements between the customer and the software project team.

• Software project planning — identifies and organizes the work elements for performing the software engineering and managing the project.

• Software project tracking and oversight — measures and controls the performance, cost, and schedule objectives of the project throughout its life. It provides visibility into actual progress so that management can act effectively when the software project’s performance deviates significantly from plans.

• Software quality assurance — determines if the process being used by the project and the resulting products comply with the organization’s policies and procedures.

• Software configuration management — establishes and maintains the integrity of the products throughout the project’s software life cycle, through a structured process for documenting proposed and approved changes in requirements and plans.

Software Development — Evaluation


Activity (key process area): Requirements management
Assessment: (rating symbol not captured in text)
Comments: SSA has a policy for requirements management. Systems had documented requirements for both of the projects we reviewed. However, one of the projects did not provide evidence that senior management is briefed on requirements management activities.

Activity (key process area): Software project planning
Assessment: (rating symbol not captured in text)
Comments: SSA has a policy and procedures for software project planning that provide guidance for estimating a software project’s effort and schedule. However, SSA’s practices for the projects we reviewed were not consistent. For instance, only one of the project managers had a documented software development plan to manage the software effort. The other project team participated in some project planning activities, but the team did not have a documented software development plan to manage its latest software effort.



Software  Development  —  Evaluation  (continued) 


Activity (key process area): Software project tracking and oversight
Assessment: (rating symbol not captured in text)
Comments: SSA has a policy and procedures for project tracking and oversight. While some tracking and oversight activities were performed, we found that a documented software development plan did not exist to track software activities for one of the projects.

Activity (key process area): Software quality assurance
Assessment: (rating symbol not captured in text)
Comments: SSA has a policy and draft procedures for quality assurance. One project had a documented quality assurance plan and results of quality assurance reviews. However, SSA lacked quality assurance practices for the other project we reviewed.

Activity (key process area): Software configuration management
Assessment: (rating symbol not captured in text)
Comments: SSA has a policy and procedures for configuration management. While one project had a documented configuration management plan and results of configuration management audits, SSA provided no evidence that configuration management practices were being performed for the other project.



Impact  of  Software  Development  Weaknesses 


While  SSA’s  SPI  program  has  been  committed  to  introducing  sound  software 
development  policies  and  procedures  within  Systems,  without  consistently  applying 
the  processes,  SSA  lacks  assurance  that  it  will  develop  and  deliver  quality  software 
on  schedule  and  at  a  reasonable  cost. 

Given  that  SSA  develops  most  of  its  software  applications,  the  lack  of  sound 
management  and  technical  practices  puts  the  agency  at  risk  that  it  will  not  meet  its 
goals  of  developing  a  technological  infrastructure  to  support  its  service  vision. 
Software Development

Suggested  Areas  for  Improvement 


SSA  should: 


• Ensure that the requirements management, project planning, project tracking and oversight, quality assurance, and configuration management policies and procedures developed by the SPI program are consistently applied across all software development efforts.


•  Develop  and  implement  a  procedure  to  grant  waivers  to  software  development  projects  when 
deviations  from  policies  and  procedures  occur.  This  waiver  should  include  documenting  the 
reason(s)  for  the  deviation,  along  with  official  approval  from  the  Deputy  Commissioner  for 
Systems  and  the  respective  Associate  Commissioner  who  has  the  lead  for  the  software  project. 
Software Development

Plans  to  Address  Software  Development  Weaknesses 


SSA  stated  that  it  is  taking  the  following  actions: 

•  The  Office  of  Systems  senior  executives  hold  bi-weekly  meetings  with  the  Associate 
Commissioner  for  each  Systems  component  to  monitor  projects’  adherence  to  SSA’s 
software  development  policies  and  procedures. 

•  The  Office  of  Systems  reorganized  the  management  of  one  of  the  projects  reviewed  to  ensure 
consistent  application  of  its  software  development  policies  and  procedures.  Further,  the  SPI 
office  is  holding  separate  meetings  with  the  project  manager  and  team  to  provide  them 
additional  guidance  on  implementing  software  development  policies  and  procedures.  SSA 
recently  reported  that  the  project  is  undergoing  an  in-process  review  to  update  requirements 
and  assess  the  impact  of  changing  technology. 

•  The  Office  of  Systems  developed  a  draft  waiver  request  procedure  for  software  development 
projects  when  deviations  from  policies  and  procedures  are  necessary. 

Information  Security  —  Overview 


Information  security  protects  an  organization’s  computer-supported  resources  and  assets. 
Such  protection  ensures  the  integrity,  appropriate  confidentiality,  and  availability  of  an 
organization’s  data  and  systems.  Integrity  means  that  data  have  not  been  altered  or 
destroyed  in  an  unauthorized  manner.  Confidentiality  means  that  information  is  not 
made  available  or  disclosed  to  unauthorized  individuals,  entities,  or  processes. 
Availability  means  that  data  will  be  accessible  or  usable  upon  demand  by  an  authorized 
entity. 


Key  activities  for  managing  information  security  risks  include: 

•  Risk  assessment  —  identifying  security  threats  and  vulnerabilities  to  information  assets 
and  operational  capabilities,  ranking  risk  exposures,  and  identifying  cost-effective 
controls 

•  Awareness  —  promoting  awareness  concerning  security  risks  and  educating  users  about 
security  policies  and  procedures 

•  Controls  —  implementing  controls  necessary  to  deal  with  identified  risks  to  information 
systems,  physical  facilities,  and  networks  in  order  to  protect  them 
Information Security — Overview (continued)


•  Evaluation  —  monitoring  effectiveness  of  controls  and  awareness  activities  through 
periodic  evaluation 

•  Central  management  —  coordinating  security  activities  through  a  centralized  group 


We evaluated SSA’s policies and procedures on information security using the Clinger-Cohen Act, the Computer Security Act, and guidelines issued by OMB, ourselves, and the National Institute of Standards and Technology. We reviewed agency security plans, sensitive system plans, security evaluation reports, and system risk assessment documentation. We also reviewed the Social Security Performance and Accountability Report for Fiscal Year 2000. We reviewed PricewaterhouseCoopers’ management letters regarding SSA’s fiscal year 2000 financial statement audit and the related SSA management responses involving information security. We did not assess the scope and adequacy of penetration tests performed by PricewaterhouseCoopers and Janus Associates on SSA’s networks.
Information Security — Evaluation


Activity: Risk assessment
Assessment: (rating symbol not captured in text)
Comments: SSA has an ongoing risk management program and has developed a plan for protecting its critical assets. SSA recently included risk assessments as part of its Management Control Review Program, which includes reviews of the agency’s key assets and each financial management system over a five-year cycle. SSA is undertaking a risk assessment of its National Computer Center. However, SSA has not completed documentation on technical system standards (security settings) and policy/risk models for its major platforms (e.g., UNIX, Windows NT). This documentation is to describe risks, underlying policy, and recommended standard settings for its major platforms. SSA reports that these standard settings will mitigate the identified risks for the platforms.


Information Security — Evaluation (continued)


Activity: Awareness
Assessment: (rating symbol not captured in text)
Comments: SSA’s security plan has a requirement for security awareness and training. SSA provides various methods of security awareness and training, including seminars, a security-based Intranet Web site, Intranet-based security self-assessment modules, and annual security conferences. SSA recently began providing awareness briefings to executive-level officials. SSA also provides security training to all new system personnel who work with sensitive systems. Further, SSA recently drafted comprehensive information security guidance for state Disability Determination Services, which conveys the agency’s expectations for information security.


Information Security — Evaluation (continued)


Activity: Information system controls
Assessment: (rating symbol not captured in text)
Comments: SSA issued a security plan for general support systems. SSA has finalized accreditation of its systems and certified each of its 16 sensitive systems, in accordance with OMB Circular A-130. SSA also is improving its change control process by implementing an automated system release process. However, SSA has not completed technical standards and policy/risk models for its major platforms. When completed, SSA expects these standards and models to strengthen information system controls by forming the basis for developing an individual security matrix for each application utilizing the platform security standards (settings).

Activity: Physical security controls
Assessment: (rating symbol not captured in text)
Comments: SSA has a policy to improve systems security through physical security enhancements. SSA has conducted vulnerability reviews of key agency assets, including its headquarters and central operations facilities. While SSA maintains appropriate access controls over its National Computer Center (NCC) building, an independent auditor identified a lack of appropriate physical and logical security at the NCC 4th floor console area. SSA reported that it has implemented a short-term solution to this weakness by providing automatic log-offs for the workstations in this area. SSA’s long-range solution calls for moving the console area equipment to a more secure area.



Information  Security  —  Evaluation 


Activity: Network access controls
Assessment: (rating symbol not captured in text)
Comments: SSA’s security program provides general guidance, goals, and objectives for the agency’s networks and systems. SSA reported that it recently finalized its firewall security policy. To improve its network security, SSA reported that it plans to hire three full-time staff and three contractor staff to perform intrusion and penetration testing activities. In addition, a contractor and an independent auditor have conducted penetration tests of the agency’s network. These tests were unable to penetrate SSA’s network from the outside. However, SSA has not yet completed documenting its technical system standards and policy/risk models for its major platforms. SSA reports that this documentation will describe risks, and identify standard minimal security settings for SSA’s major platforms.



Information Security — Evaluation


Activity: Evaluation
Assessment: (rating symbol not captured in text)
Comments: SSA has programs and procedures for evaluating its facilities and systems security. For instance, SSA’s Financial Management Review Program is responsible for reviewing each financial management system over a 5-year period. However, SSA has not conducted consistent monitoring of state Disability Determination Services’ information security activities. In addition, SSA has not yet completed detailed technical standards and policy/risk models for its major platforms. This documentation would support the agency’s evaluation capability by identifying standard minimal security settings for these platforms, monitoring techniques, and corrective actions for noncompliance.



Information  Security  —  Evaluation  (continued) 


Activity: Central management
Assessment: (rating symbol not captured in text)
Comments: SSA has an office that oversees all of the agency’s information systems security and management control processes. SSA has improved its information security over the past 4 years. For example, over this period, SSA has corrected weaknesses related to 4 of 5 previously reported serious weaknesses (i.e., reportable conditions) involving internal controls. However, SSA’s office responsible for agencywide information security has not ensured the development of policy/risk models and technical system standards for its major platforms. Such documentation would facilitate improvement of SSA’s entitywide security framework by strengthening the agency’s capability to manage, monitor, and enforce its policies related to these platforms.



Impact  of  Information  Security  Weaknesses 


•  Without  technical  system  standards  (settings)  and  policy/risk  models  for  its  major 
platforms,  SSA  lacks  detailed  guidance  for  managing  the  security  of  its  major 
platforms  and  associated  networks  and  systems.  This  lack  of  guidance  also  impairs 
SSA’s  ability  to  provide  effective  central  oversight  and  evaluation  of  information 
security  related  to  these  platforms  and  associated  networks  and  systems. 
SSA should:


•  Strengthen  its  entitywide  security  framework  by  completing  policy/risk  models  and 
technical  system  standard  settings  for  its  major  systems  platforms. 

•  Develop  monitoring  techniques  and  corrective  actions  for  noncompliance  for  its  major 
systems  platforms. 

•  Use  the  platform  security  settings  to  strengthen  security  for  each  application  utilizing 
these  platforms. 
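The three items above describe one control loop: a documented standard setting for each platform, a check that detects hosts deviating from it, and a corrective action for each deviation. The following Python script is an added illustration of that loop and is not code from this report or from SSA. The platform names (UNIX, Windows NT) are taken from the report; the baseline format, the setting names and expected values, the severity labels, and the host inventory are all constructed assumptions for the example.

```python
"""Platform security baseline check with noncompliance reporting.

Added illustration; not code from the GAO report or from SSA. It assumes a
hypothetical baseline format: for each platform, a list of required settings,
each carrying the risk it mitigates (the policy/risk model entry) and a
comparison rule. The platform names (UNIX, Windows NT) come from the report;
every setting name, expected value, host name and observed value below is
constructed sample data.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Setting:
    name: str
    expected: Any
    kind: str       # "eq": must equal; "max": must be <= expected; "min": must be >= expected
    risk: str       # risk the setting mitigates, from the (hypothetical) policy/risk model
    severity: str   # "high" or "medium"


# Hypothetical standard settings per platform (constructed, not SSA's actual standards).
BASELINES: Dict[str, List[Setting]] = {
    "unix": [
        Setting("password_max_days", 90, "max", "stale credentials", "medium"),
        Setting("remote_root_login", False, "eq", "unaudited privileged access", "high"),
        Setting("idle_session_timeout_min", 15, "max", "unattended logged-in consoles", "high"),
    ],
    "windows_nt": [
        Setting("password_min_length", 8, "min", "guessable passwords", "medium"),
        Setting("audit_logon_events", True, "eq", "no record of access attempts", "high"),
        Setting("idle_session_timeout_min", 15, "max", "unattended logged-in consoles", "high"),
    ],
}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: Any
    observed: Optional[Any]   # None when the host did not report the setting
    severity: str
    risk: str
    corrective_action: str


def is_compliant(setting: Setting, observed: Optional[Any]) -> bool:
    """Apply the setting's comparison rule; an unreported setting never passes."""
    if observed is None:
        return False
    if setting.kind == "eq":
        return observed == setting.expected
    if setting.kind == "max":
        return observed <= setting.expected
    if setting.kind == "min":
        return observed >= setting.expected
    raise ValueError(f"unknown comparison kind: {setting.kind}")


def check_host(host: str, platform: str, observed: Dict[str, Any]) -> List[Finding]:
    """Compare one host's observed settings against its platform baseline."""
    findings: List[Finding] = []
    for s in BASELINES[platform]:
        value = observed.get(s.name)
        if is_compliant(s, value):
            continue
        if value is None:
            action = f"collect {s.name} from the host and set it to {s.expected!r}"
        else:
            action = f"set {s.name} to {s.expected!r} (currently {value!r})"
        findings.append(Finding(host, s.name, s.expected, value, s.severity, s.risk, action))
    return findings


# Constructed inventory: (host, platform, observed settings). The last host omits one setting.
SAMPLE_INVENTORY: List[Tuple[str, str, Dict[str, Any]]] = [
    ("unix-01", "unix", {"password_max_days": 60, "remote_root_login": False,
                         "idle_session_timeout_min": 15}),
    ("unix-02", "unix", {"password_max_days": 180, "remote_root_login": True,
                         "idle_session_timeout_min": 10}),
    ("console-04", "windows_nt", {"password_min_length": 6, "audit_logon_events": True}),
]


def run_all(inventory=SAMPLE_INVENTORY) -> List[Finding]:
    """Check every host in the inventory and return all findings."""
    findings: List[Finding] = []
    for host, platform, observed in inventory:
        findings.extend(check_host(host, platform, observed))
    return findings


def noncompliant_hosts(findings: List[Finding]) -> List[str]:
    """Hosts with at least one finding, sorted for stable reporting."""
    return sorted({f.host for f in findings})


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Number of findings per severity label, for the central-management summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_all():
        print(f"{f.host}: {f.setting} [{f.severity}] risk={f.risk}; {f.corrective_action}")
```

Run stand-alone, the script prints one line per finding. A setting the host does not report is treated as a deviation rather than a pass, so a host that is silent about a required setting still appears in the noncompliance list, with a corrective action to collect the value first; this is the case that a check written as "observed == expected" would miss.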

IT  Information  Security 

Plans  To  Address  IT  Information  Security  Weaknesses 


SSA  has  established  management  responses  and  corrective  actions  for  addressing 
weaknesses  identified  by  the  agency’s  Office  of  Inspector  General  as  part  of  the 
financial  statement  audit.  These  actions  include: 


• plans to complete the development of policy/risk models and technical standards for all SSA platforms by September 2001.

•  completion  of  a  firewall  security  policy. 


•  hiring  additional  staff  and  contract  support  to  strengthen  the  agency’s  network 
security  activities. 
Human capital centers on viewing people as assets whose value to an organization can
be  enhanced  through  investment.  As  the  value  of  people  increases,  so  does  the 
performance  capacity  of  the  organization,  and  therefore  its  value  to  clients  and  other 
stakeholders. 

To  maintain  and  enhance  the  capabilities  of  IT  staff,  the  organization  should  conduct 
four  basic  activities: 

• Requirements — assess the knowledge and skills needed to effectively perform IT operations to support an agency’s mission and goals

• Inventory — determine the knowledge and skills of current IT staff to identify gaps in needed capabilities

• Workforce strategies and plans — develop strategies and implement plans for hiring, training, and professional development to fill the gap between requirements and current staffing

• Progress evaluation — evaluate progress made in improving IT human capital capability, and use the results of these evaluations to continuously improve the organization’s human capital strategies

IT  Human  Capital  —  Overview  (continued) 


We evaluated SSA’s policies and procedures on IT human capital using the Clinger-Cohen Act and our guide, Human Capital: A Self-Assessment Checklist for Agency Leaders.[7]


[7] GAO/OCG-00-14G, version 1, September 2000.

IT Human Capital — Evaluation




Activity: Requirements
Assessment: (rating symbol not captured in text)
Comments: SSA’s Office of Systems is responsible for identifying, evaluating, and analyzing all of Systems’ IT personnel requirements and ensuring that performance qualifications meet mission needs. Systems identified the number of IT staff needed now and in the future and also identified the competencies required. However, the number of IT staff needed is not explicitly linked to the competencies. This information is necessary to project Systems’ workforce needs far enough in advance to allow adequate time for recruiting, training, or outsourcing.



IT Human Capital — Evaluation (continued)


Activity: Inventory
Assessment: (rating symbol not captured in text)
Comments: SSA does not have an inventory of the knowledge and skills of current IT staff. The Office of Systems stated that it is generally aware of the skills that its staff currently has because the office is organized along functional lines and certain components are responsible for specific IT functions. For instance, SSA reported that the Office of Telecommunications and Systems Operations has staff with network and telecommunications skills. Systems also uses two information systems that include data on time charged to assignments and training received, to match individuals to new assignments. Nonetheless, without a knowledge and skills inventory, SSA cannot perform an analysis to determine whether a gap exists between current and future IT staff requirements and existing staffing.


Activity: Workforce strategies and plans
Assessment: (rating symbol not captured in text)
Comments: SSA has procedures to hire, train, and professionally develop IT staff. In practice, Systems usually offsets losses due to attrition by hiring recent college graduates and experienced professionals from the private sector and other federal agencies. Systems also utilizes retention bonuses, training and professional development programs, and contractor support to maintain a cadre of technical staff. However, there is no assurance that these workforce strategies and plans will be effective because they are not linked to or supported by a gap analysis detailing current and future needed IT capabilities.

Activity: Progress evaluation
Assessment: (rating symbol not captured in text)
Comments: SSA’s Office of Systems is responsible for evaluating its progress in improving IT human capital capabilities. The Deputy Commissioner holds bi-weekly meetings to discuss reports showing Systems’ progress in filling IT positions and identify actions needed to improve the recruitment strategy. Further, training courses are evaluated to assess their effectiveness. However, the office has not fully analyzed or reported on the effectiveness of its workforce strategies and plans.
GAO
Accountability * Integrity * Reliability

IT Policies, Procedures, and Practices

Impact of IT Human Capital Weaknesses

Without a complete needs assessment, SSA lacks assurance that it has effectively identified the number of staff it will require with the specific knowledge and skills needed to sustain its current and future operations and develop strategies to fill these needs. This is especially critical given that SSA projects that the Office of Systems could lose approximately 1,339, or about 43 percent, of its current staff between the years 2000 and 2010, of which 767 are computer specialists.

Without an inventory of IT knowledge and skills, SSA lacks assurance that it is optimizing the use of its current IT workforce. Also, SSA will not have data on the extent of its IT skill gaps. This information is necessary to develop effective workforce strategies and plans.

Without analyzing and documenting the effectiveness of its workforce strategies and plans, senior decisionmakers lack assurance that they are effectively addressing IT knowledge and skill gaps.

IT Human Capital

Suggested Areas for Improvement

The Office of Systems should:

• complete an assessment of its current and future IT knowledge and skill needs

• develop and maintain an inventory of its current IT staff's knowledge and skills

• perform an analysis to determine whether a gap exists between current and future IT staff requirements and current staffing

• ensure that its workforce strategies support the results of its gap analysis

• analyze and document the effectiveness of its strategies for recruiting, training, and retaining IT personnel, and use the results to continuously improve its IT human capital strategies

IT Human Capital

Plans to Address IT Human Capital Weaknesses

Office of Systems officials reported that they are:

• looking at private sector organizations with large systems divisions and other federal agencies to determine how they have implemented a skills inventory database

• benchmarking industry best practices and cost-benefit analyses to assess whether this investment would add value. If SSA determines that value is added, it will seek funding approval to purchase an inventory system.

• establishing a systems recruitment team that will report directly to the Deputy Commissioner for Systems and will conduct comprehensive studies and evaluations on the effectiveness of Systems' recruitment and retention programs.
In commenting on a draft of this briefing, SSA officials

• agreed with all of our recommendations

• outlined many actions that SSA has planned or taken in response to our recommendations

• offered suggested revisions, which have been incorporated in this briefing as appropriate
SOCIAL SECURITY

Office of the Commissioner
July 31, 2001

Mr. Joel C. Willemssen
Managing Director, Information Technology Issues
U.S. General Accounting Office
Washington, D.C. 20548

Dear Mr. Willemssen:

Thank you for the opportunity to review the draft report, "Information Technology Management: Social Security Administration Practices Can Be Improved" (GAO-01-961). Our comments on the report are enclosed. If you have any questions, please have your staff contact Mark Welch at (410) 965-0374.

Sincerely,

Acting Commissioner
of Social Security

SOCIAL SECURITY ADMINISTRATION BALTIMORE MD 21235-0001
COMMENTS OF THE SOCIAL SECURITY ADMINISTRATION (SSA) ON THE GENERAL ACCOUNTING OFFICE (GAO) DRAFT REPORT, "INFORMATION TECHNOLOGY MANAGEMENT: SOCIAL SECURITY ADMINISTRATION PRACTICES CAN BE IMPROVED" (GAO-01-961)

Thank you for the opportunity to provide comments on this GAO report. We believe the many SSA actions taken, underway, and planned that are outlined below demonstrate our continuing commitment to improving SSA information technology (IT) management.

1. IT Investment Management

Recommendation 1

Develop and implement a process guide that establishes the policies, procedures, and key criteria for conducting the IT investment management process and guiding executive staff operations.

SSA Comment

We agree. The Agency is identifying gaps in its current Target Capital Planning and Investment Control (CPIC) process. A draft enhanced CPIC document will be available by the end of September 2001. The final process guide will be available after the document has been approved by the new Administration.

Recommendation 2

Develop and maintain selection criteria that include explicit cost, benefit, schedule, and risk criteria to facilitate the objective analysis, comparison, prioritization, and selection of IT investments.

SSA Comment

We agree. Selection criteria that include cost, benefit, schedule and risk criteria to facilitate objective analysis, comparison, prioritization and selection of IT investments have been defined and will be included in SSA's revised CPIC document.

GAO Recommendation 3

Analyze and prioritize all IT investments based on the predefined selection criteria and make selection decisions according to the established process.

SSA Comment

We agree and have already begun to apply the new selection criteria to our software development projects. We are expanding this use to all of our projects as we enter fiscal year (FY) 2002.
Recommendation 4

Establish and annually review cost, benefit, schedule, and risk life-cycle expectations for each selected investment.

SSA Comment

We agree and will strengthen this in the Agency's enhanced CPIC.

Recommendation 5

Revise the IT oversight process so that the executive staff oversees the comparison of actual cost, benefit, schedule, and risk data with original estimates for all investments to determine whether they are proceeding as expected and, if not, to take corrective actions as appropriate.

SSA Comment

We agree. The Federal Acquisition Streamlining Act of 1994 requires this for both major and non-major acquisition programs of the agency. This too is being strengthened in SSA's enhanced CPIC.

Recommendation 6

Regularly perform post-implementation reviews of IT investments and develop lessons learned from the process.

SSA Comment

We agree. This issue is being addressed in our enhanced CPIC.

Recommendation 7

Develop, manage, and regularly evaluate the performance of a comprehensive IT investment portfolio containing detailed and summary information (including data on costs, benefits, schedules, and risks) for all IT investments.

SSA Comment

We agree. This is being addressed in our enhanced CPIC. We will acquire both the Information Technology Investment Portfolio System (I-TIPS) and Expert Choice software packages by the end of summer 2001, and implementation will be subsequently staged.
Recommendation 8

Implement investment process benchmarking so that measurable improvements may be made to agency IT investment management processes based on those used by best-in-class organizations.

SSA Comment

We agree. This will be addressed in our enhanced CPIC.

2. Enterprise Architecture

Recommendation 9

Establish milestones for and complete key elements of SSA's enterprise-wide architecture, including (1) finalizing its framework, (2) updating and organizing its architectures and architecture definitions under the framework, and (3) reflecting its future service delivery vision and e-business goals.

SSA Comment

We agree with the elements of this recommendation. Our plans for completing the SSA Enterprise Information Technology Architecture (EITA) are as follows:

1. Actions are underway to finalize the EITA Framework by the end of FY 2001.

2. Work is underway to update and organize architecture definitions under the EITA Framework. Current emphasis is on the documentation of the SSA IT infrastructure. Our target is to complete the existing and target architectures for SSA IT infrastructure by the end of FY 2001. Planning will soon begin for the documentation of existing and target SSA data and application architectures.

3. Target architecture definitions for SSA data, applications and infrastructure will be based on SSA's future service delivery vision and e-business goals, as suggested in the GAO recommendation.

4. By the end of calendar year (CY) 2001, we expect to set target milestones for the completion of all architectural products defined by the EITA Framework. This includes existing and target architecture definitions for SSA business processes, data and software applications. Progress against these milestones will be tracked within the SSA Office of Systems (OS) and by the SSA Chief Information Officer.

Recommendation 10

Effectively implement change management and legacy system integration policies, procedures, and processes across the agency, and set target dates for full implementation of these maintenance processes.
SSA Comment

We agree. While we have established system change control processes, these processes are not as well documented as they should be and, as GAO has noted, they are not founded on the use of enterprise architecture definitions. Similarly, SSA has a well-developed system integration process; however, the process is not based on the use of architectural models to ensure effective integration of new and legacy technologies.

As we further develop plans for completing the architectural products defined by the EITA Framework, we will address the need to document policies and procedures that use enterprise architectures for change management and system integration. We expect to set milestones for the development and institutionalization of such procedures by the end of CY 2001.

3. Software Acquisition and Development

Recommendation 11

Consistently apply the requirements management, project planning, project tracking and oversight, quality assurance, and configuration management policies and procedures developed by the software process improvement program across all software development activities.

SSA Comment

We concur, and have taken steps to ensure consistency. Quality Assurance representatives are now assigned to each Customer Targeted Work project. Their role, among other things, is to ensure that a software development plan is prepared, or that a waiver is appropriate and requested. A process exists to record, control, and track resolution of noncompliance.

Recommendation 12

Develop and implement a procedure to grant waivers to software development projects when deviations from policies and procedures occur.

SSA Comment

We concur. A draft procedure for granting such waivers was developed in the first quarter of FY 2001, and the final procedure was made available to users via our intranet-based Project Resource Guide in early July 2001.
4. Information Security

Recommendation 13

Strengthen the entity-wide security framework by completing policy/risk models and technical system standards (security settings) for SSA's major systems platforms.

SSA Comment

We agree. On July 9, 2001, we completed development of technical system standards and risk policy models for our major platforms.

Recommendation 14

Develop monitoring techniques and corrective actions for noncompliance for the major systems platforms.

SSA Comment

We concur. We continue to make substantial investments in software and hardware products for monitoring security preparedness, and in penetration testing services to discover any security vulnerabilities.

Recommendation 15

Use the platform security settings to strengthen security for each application utilizing these platforms.

SSA Comment

We agree. The completion of the technical systems standards and risk policy models for our major platforms noted above will facilitate enhanced security for applications using these platforms.

5. Human Capital

Recommendations 16 through 20

Complete an assessment of the Office of Systems' (OS) current and future IT knowledge and skill needs.

Develop and maintain an inventory of the OS current IT staff's knowledge and skills.

Determine whether a gap exists between current and future IT staff requirements and current staffing.

Implement workforce strategies that support the results of this gap analysis.
Analyze and document the effectiveness of IT strategies for recruiting, training, and retaining IT personnel, and use the results to continuously improve its IT human capital strategies.

SSA Comment

We concur that IT human capital planning needs to be reviewed and evaluated, and are pursuing the following:

- We are working with GAO to develop strong and appropriate IT human capital inventory assessment and management capabilities.

- In addition to examining private sector organizations with large systems divisions and other federal agencies to determine how they have implemented a skills inventory database, OS is working with the SSA Office of Human Resources to evaluate various competency-based human resource tools.

- Based on information gathered above, we will benchmark industry best practices and cost-benefit analyses to determine whether such an investment would add value. If determined that one of the existing systems has value, we will seek funding approval to purchase an inventory system, and establish appropriate implementation dates.

- In January 2001, OS established a recruitment team that reports directly to the Deputy Commissioner for Systems (DCS). The staff is conducting comprehensive studies and evaluations on the effectiveness of OS recruitment and retention programs and will report findings/recommendations to the DCS in late fall 2001.

Other Matters

Attached are suggested revisions to the table on page 6 of the GAO report concerning estimated costs for major SSA IT acquisitions for fiscal year 2001. The most significant changes to the table involve the Financial Accounting System (FACTS) and the Integrated Human Resources System (IHRS). The Budget Exhibits 300B included all FACTS information technology systems (ITS) budget and limitation on administrative expenses (LAE) workyear costs and did not focus only on the FACTS replacement effort. The cost estimates now shown for FACTS include only the ITS budget costs for the FACTS replacement through FY 2006 and are taken from the systems procurement request documentation. IHRS is shown as terminated.

We also note that the collection of projects should be called major IT "initiatives" rather than major IT "acquisitions," since the projects include in-house IT development efforts (Title II Redesign) as well as IT procurements.

In the section of the report including the GAO evaluation of SSA information security performance (pages 57-62), there are five "grid circle" assessments, and comments noting that SSA has not completed development of policy/risk models and technical systems standards for its major platforms. Since SSA has completed development of these models and standards (see above comments on recommendation number 13), we suggest that SSA performance for these five areas be changed to a "solid circle" assessment.
The first copy of each GAO report is free. Additional copies of reports are $2 each. A check or money order should be made out to the Superintendent of Documents. VISA and MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

Orders by visiting:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders by phone:

(202) 512-6000
fax: (202) 512-6061
TDD (202) 512-2537

Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists.

Orders by Internet:

For information on how to access GAO reports on the Internet, send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO's World Wide Web home page at:
http://www.gao.gov

To Report Fraud, Waste, or Abuse in Federal Programs

Contact one:

• Web site: http://www.gao.gov/fraudnet/fraudnet.htm

• e-mail: fraudnet@gao.gov

• 1-800-424-5454 (automated answering system)